New – Gateway Load Balancer Now Supports IPv6


In 2020, we introduced the Gateway Load Balancer (GWLB), which enables in-line packet inspection and filtering. Customers use it to run centralized firewalls, intrusion detection systems, and network monitoring appliances. Because multiple GWLB endpoints can be deployed in workload VPCs, access to these centralized inspection tools is distributed across the environment.

Until now, GWLB handled only Internet Protocol version 4 (IPv4) traffic. Today, we are announcing that GWLB also supports Internet Protocol version 6 (IPv6). GWLB encapsulates IPv6 packets in the same IPv4 Generic Network Virtualization Encapsulation (GENEVE) tunnel it already uses for IPv4, so the appliances keep their IPv4 addresses and only the inner packet changes. This lets applications run natively over IPv6 without translating down to IPv4, removes IPv4 address exhaustion as a constraint, and can improve application performance by avoiding the latency that NAT devices add. AWS provides IPv6 support across many services; see the Amazon VPC IPv6 page for details, benefits, and use cases.

In this post, we walk through configuring GWLB to handle both IPv4 and IPv6 traffic. A previous post documented the basic GWLB setup; the steps below cover only the changes needed for IPv6. Before proceeding, make sure you have the following in place:

  • The inspection VPC and the subnet that will host your GWLB must exist and be configured for dual-stack (an IPv6 CIDR associated with both the VPC and the subnet).
  • The application VPCs and the subnets that will host the GWLB endpoints must also exist and be dual-stacked.
  • At least one GWLB-compatible appliance must be deployed as a target. You can use gwlbtun (which has been updated for IPv6) or any other appliance that supports IPv6. The appliance itself does not have to be dual-stacked at the OS level, because GWLB always reaches it over IPv4 GENEVE, but it must be able to parse and act on both IPv4 and IPv6 inner packets; depending on your use case (for example, if the appliance originates IPv6 traffic of its own) that may still require dual-stacking the appliance.

You can either create a new GWLB or modify an existing one, using the Console or the CLI.

Creating a New GWLB via the Console:

Setting up a dual-stack GWLB is almost the same as setting up an IPv4 one; only a few settings differ:

  1. Open the EC2 Console, go to Load Balancers, click ‘Create load balancer’ at the top, and then select ‘Create’ under ‘Gateway Load Balancer’. In the configuration, choose ‘Dualstack’ as the IP address type.
  2. Select the target group from the dropdown menu, or create a new one here if none exists. Targets are always reached over IPv4, so both Instance and IP address target types remain valid. Click ‘Create Load Balancer’ at the bottom of the page to finish this step.
  3. Go to VPC Endpoint services and click ‘Create endpoint service’. In the configuration, check both ‘IPv4’ and ‘IPv6’ under ‘Supported IP address types’ in the ‘Additional settings’ section, and then click ‘Create’.
  4. Create the endpoints in your application VPCs, selecting ‘Dualstack’ under Subnets. The subnets must already be dual-stacked; create one endpoint per subnet.
  5. If ‘Acceptance Required’ is enabled on the endpoint service, return to the service and accept the connection from each endpoint.

Creating a New GWLB via the CLI:

  1. Create the GWLB, specifying a dual-stack subnet in the inspection VPC and the dualstack IP address type:
    aws elbv2 create-load-balancer --name Demo-IPv6-GWLB --subnets subnet-abcdef01234567890 --type gateway --ip-address-type dualstack
  2. Create the target group:
    aws elbv2 create-target-group --name Appliances --protocol GENEVE --port 6081 --vpc-id vpc-abcdef01234567890
  3. Register the firewall appliances with the target group:
    aws elbv2 register-targets --target-group-arn arn:aws:elasticloadbalancing:us-west-2:111122223333:targetgroup/Appliances/abcdef01234567890 --targets Id=i-abcdef01234567890
  4. Create the listener:
    aws elbv2 create-listener --load-balancer-arn arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/gwy/Demo-IPv6-GWLB/abcdef01234567890 --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:us-west-2:111122223333:targetgroup/Appliances/abcdef01234567890
  5. Create the endpoint service, enabling both the IPv4 and IPv6 address types:
    aws ec2 create-vpc-endpoint-service-configuration --gateway-load-balancer-arns arn:aws:elasticloadbalancing:us-west-2:111122223333:loadbalancer/gwy/Demo-IPv6-GWLB/abcdef01234567890 --supported-ip-address-types ipv4 ipv6
  6. Create the endpoints in the application VPCs with the dualstack IP address type. Run this command once per subnet:
    aws ec2 create-vpc-endpoint --vpc-id vpc-abcdef01234567890 --subnet-ids subnet-abcdef01234567890 --service-name com.amazonaws.vpce.us-west-2.vpce-svc-abcdef01234567890 --vpc-endpoint-type GatewayLoadBalancer --ip-address-type dualstack
  7. Finally, accept the connection (only needed if the service requires acceptance):
    aws ec2 accept-vpc-endpoint-connections --service-id vpce-svc-abcdef01234567890 --vpc-endpoint-ids vpce-abcdef01234567890
    Check the Unsuccessful list in the response; any endpoint ID listed there was not accepted and will stay in the pendingAcceptance state.
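The commands above create the dual-stack GWLB, but two things the procedure does not show are easy to get wrong: the endpoint only inspects IPv6 traffic that the route tables actually send to it, and a successful exit code from accept-vpc-endpoint-connections does not mean every endpoint was accepted. The script below is an added example, not part of the original post or of the AWS CLI documentation. It adds the IPv6 route through a GWLB endpoint and verifies the resulting configuration with describe calls; the resource IDs, ARNs and environment variable names are placeholders you replace with your own, and setting AWS=echo performs a dry run that prints each command instead of calling the API.

```shell
#!/bin/sh
# Added example (not from the AWS post): finish and verify a dual-stack GWLB deployment.
# Assumes the GWLB, endpoint service and endpoints were created as described above.
# Set AWS=echo to dry-run: every call prints its arguments instead of hitting the API.
set -eu

AWS="${AWS:-aws}"

# Route IPv6 to the GWLB endpoint. Dual-stacking a subnet does NOT by itself send its
# IPv6 traffic through inspection; until this route exists, IPv6 flows bypass the
# appliances entirely. For ingress, run it again against the IGW edge route table with
# the subnet's IPv6 CIDR as the destination instead of ::/0.
add_ipv6_inspection_route() {
  # $1 = route table id   $2 = GWLB endpoint id   $3 = destination IPv6 CIDR (default ::/0)
  $AWS ec2 create-route \
    --route-table-id "$1" \
    --destination-ipv6-cidr-block "${3:-::/0}" \
    --vpc-endpoint-id "$2"
}

# Compare an observed value with what dual-stack requires; prints a verdict and returns
# non-zero on mismatch so that `set -e` aborts the script at the first problem.
expect() {
  # $1 = label   $2 = expected   $3 = observed
  if [ "$2" = "$3" ]; then
    printf 'ok   %s = %s\n' "$1" "$3"
  else
    printf 'FAIL %s: expected "%s", got "%s"\n' "$1" "$2" "$3" >&2
    return 1
  fi
}

# accept-vpc-endpoint-connections returns an Unsuccessful list even when the command
# itself succeeds; treat a non-empty list as a failure instead of leaving an endpoint
# silently stuck in pendingAcceptance.
check_accept_result() {
  # $1 = number of Unsuccessful entries (from --query 'length(Unsuccessful)')
  expect "unsuccessful endpoint connections" 0 "$1"
}

# Read the live configuration back and check every IPv6-relevant setting.
verify_dualstack() {
  # $1 = GWLB ARN   $2 = endpoint service id   $3 = endpoint id
  expect "GWLB IpAddressType" dualstack \
    "$($AWS elbv2 describe-load-balancers --load-balancer-arns "$1" \
        --query 'LoadBalancers[0].IpAddressType' --output text)"
  expect "endpoint service SupportedIpAddressTypes" "ipv4 ipv6" \
    "$($AWS ec2 describe-vpc-endpoint-service-configurations --service-ids "$2" \
        --query 'ServiceConfigurations[0].SupportedIpAddressTypes | sort(@) | join(`" "`, @)' \
        --output text)"
  expect "endpoint IpAddressType" dualstack \
    "$($AWS ec2 describe-vpc-endpoints --vpc-endpoint-ids "$3" \
        --query 'VpcEndpoints[0].IpAddressType' --output text)"
  expect "endpoint State" available \
    "$($AWS ec2 describe-vpc-endpoints --vpc-endpoint-ids "$3" \
        --query 'VpcEndpoints[0].State' --output text)"
}

# Usage (placeholders, hypothetical values):
#   RUN_GWLB_CHECKS=1 GWLB_ARN=arn:aws:elasticloadbalancing:... SVC_ID=vpce-svc-... \
#   VPCE_ID=vpce-... APP_RTB_ID=rtb-... sh verify-dualstack-gwlb.sh
# Guarded by RUN_GWLB_CHECKS so the functions can be sourced or dry-run without side effects.
if [ "${RUN_GWLB_CHECKS:-0}" = 1 ]; then
  add_ipv6_inspection_route "$APP_RTB_ID" "$VPCE_ID"
  check_accept_result "$($AWS ec2 accept-vpc-endpoint-connections --service-id "$SVC_ID" \
      --vpc-endpoint-ids "$VPCE_ID" --query 'length(Unsuccessful)' --output text)"
  verify_dualstack "$GWLB_ARN" "$SVC_ID" "$VPCE_ID"
fi
```

The verification step is the part worth keeping in a deployment pipeline: a GWLB that is dualstack while its endpoint service still advertises only ipv4, or an endpoint left in pendingAcceptance, produces no error anywhere but leaves IPv6 traffic either uninspected or black-holed, depending on the routes.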

To Modify an Existing GWLB via the Console:

Before you begin, confirm that the VPCs and subnets in both your inspection VPC and your application VPCs have IPv6 CIDR blocks associated with them.

  1. Open the EC2 Console, go to Load Balancers, select your load balancer, and choose ‘Edit IP address type’ from the ‘Actions’ menu.

In conclusion, IPv6 support removes one of the remaining reasons to keep an IPv4-only path in front of a Gateway Load Balancer, and the only changes to an existing design are the IP address type on the load balancer, the endpoint service, and the endpoints. Keep in mind that dual-stacking a subnet does not by itself send its IPv6 traffic through inspection: the subnet and IGW edge route tables must point IPv6 destinations at the GWLB endpoints, and the appliance policy must cover IPv6, or IPv6 flows bypass the controls you built for IPv4.
